Top 10 Data Security Challenges for e-Commerce

Challenge / Pain / Solution

More “Cutting Edge” Tech → More Work for the AppSec Team

Pain:

New “cutting edge” tech (e.g. GraphQL, WebSockets, gRPC):

  • Creates new attack vectors and new variations of previously known attacks.
  • Introduces blind spots in testing coverage and protection.

Existing tooling often cannot protect or test even XML/JSON APIs, and vendors are reluctant to add support for the newer protocols.
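As an added illustration of that blind spot (example code written for this page, not Wallarm's and not the original author's; the GraphQL schema names login, username, password, products and search are hypothetical): a legacy inspector that only looks at query-string parameters sees nothing in a GraphQL POST because the payload sits inside the JSON envelope, and a per-HTTP-request counter misses alias batching, where one request carries fifty login attempts.

```python
import json
import re

# Constructed sample, not real traffic. "login", "username", "password", "products"
# and "search" are hypothetical schema names assumed for the example.
ALIASED_LOGIN_QUERY = "mutation {\n" + "".join(
    f'  a{i}: login(username: "user{i}@example.com", password: "Passw0rd!{i}") {{ token }}\n'
    for i in range(50)
) + "}"

SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/graphql",
    "query_params": {},          # nothing in the URL: the payload is inside the JSON body
    "body": json.dumps({
        "query": "query($q: String!) { products(search: $q) { id name } }",
        "variables": {
            "q": "' OR 1=1 --",
            "filters": {"tags": ["sale", "1 UNION SELECT password FROM users"]},
        },
    }),
}

SQLI_PATTERN = re.compile(r"(?i)('\s*or\s+\d+\s*=\s*\d+|\bunion\s+select\b)")
_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')


def naive_inspect(request):
    """Legacy inspector: looks only at query-string parameters, so a GraphQL POST is invisible."""
    return [(name, value) for name, value in request["query_params"].items()
            if SQLI_PATTERN.search(value)]


def _walk(value, path, out):
    """Collect every string inside the variables object, however deeply nested."""
    if isinstance(value, str):
        out.append((path, value))
    elif isinstance(value, dict):
        for key, item in value.items():
            _walk(item, f"{path}.{key}", out)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            _walk(item, f"{path}[{index}]", out)


def graphql_inspect(request):
    """Protocol-aware inspector: decodes the GraphQL envelope and scans variables plus inline literals."""
    document = json.loads(request["body"])
    candidates = []
    _walk(document.get("variables") or {}, "variables", candidates)
    for match in _STRING_LITERAL.finditer(document.get("query", "")):
        candidates.append(("query", match.group(0)[1:-1]))   # strip the quotes, keep escapes as-is
    return [(path, value) for path, value in candidates if SQLI_PATTERN.search(value)]


def count_field_invocations(query, field):
    """Count invocations of one root field in a single document (alias batching).
    String literals are blanked first so the field name inside an argument value is not counted."""
    blanked = _STRING_LITERAL.sub('""', query)
    return len(re.findall(rf"\b{re.escape(field)}\s*[({{]", blanked))


if __name__ == "__main__":
    print("naive:", naive_inspect(SAMPLE_REQUEST))
    print("graphql-aware:", graphql_inspect(SAMPLE_REQUEST))
    print("login calls in one request:", count_field_invocations(ALIASED_LOGIN_QUERY, "login"))
```

The same request that is invisible to `naive_inspect` yields two findings from `graphql_inspect`, and `count_field_invocations` reports 50 login calls for what a request-based rate limit counts as a single request.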

Solution:

Sophisticated API protection functionality. gRPC, GraphQL, WebSockets, REST, JSON, XML, SOAP and dozens more protocols are natively supported by Wallarm WAF.

Bots and Account Takeover

Pain:

  • Scrapers: scrape prices, descriptions, stock details, inventory photos, etc.
  • API abuse: stolen coupon codes, fraud with customer loyalty programs.
  • Account takeover (credential stuffing): reuse of previously leaked user credentials.

Bots differ widely, from simple cURL scripts to full-browser-stack bots. They keep evolving and are getting harder to identify, and they generate a high volume of traffic.
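Added example (not from the original page and not Wallarm's code): behavioural detection of credential stuffing and coupon-code enumeration over a constructed access log. It keys on what each source does rather than on the User-Agent, so the stuffing bot below, which presents a Chrome User-Agent, is caught the same way a cURL script is. The log layout, endpoint paths and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log layout: "<ISO 8601 timestamp> <client ip> <method> <path> <status> key=value ...".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})(?P<kv>(?: \S+=\S+)*)$"
)


def build_sample_log():
    """Constructed access log (not real traffic) mixing two bots with two legitimate customers."""
    start = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset, ip, method, path, status, **fields):
        stamp = (start + timedelta(seconds=offset)).isoformat().replace("+00:00", "Z")
        extra = " ".join(f"{k}={v}" for k, v in fields.items())
        lines.append(f"{stamp} {ip} {method} {path} {status} {extra}")

    # Credential stuffing from a full-browser-stack bot: 40 leaked accounts, one of them still valid.
    for i in range(40):
        add(2 * i, "203.0.113.7", "POST", "/api/login", 200 if i == 17 else 401,
            user=f"user{i:02d}", ua="Chrome/124.0")
    # A real customer mistyping a password twice.
    for offset, status in ((5, 401), (20, 401), (35, 200)):
        add(offset, "198.51.100.20", "POST", "/api/login", status, user="alice", ua="Chrome/124.0")
    # Coupon code enumeration from a cURL script.
    for i in range(30):
        add(3 * i, "192.0.2.9", "POST", "/api/cart/coupon", 404, code=f"SAVE{i:04d}", ua="curl/8.4.0")
    # A real customer applying a code from a newsletter.
    add(40, "198.51.100.21", "POST", "/api/cart/coupon", 200, code="WELCOME10", ua="Chrome/124.0")
    return "\n".join(lines)


def parse_logs(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines outside the assumed format are skipped, not guessed at
        fields = dict(pair.split("=", 1) for pair in m["kv"].split())
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), **fields,
        })
    return events


def detect(events, window_seconds=300, min_attempts=20, min_distinct_users=10,
           min_failure_ratio=0.8, min_distinct_codes=10):
    """Flag per-source behaviour inside fixed time windows. The User-Agent is deliberately
    ignored: a browser-stack bot and a cURL script are judged by what they do, not what they claim."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ip"], int(e["ts"].timestamp()) // window_seconds)].append(e)

    findings = []
    for (ip, _), evs in buckets.items():
        logins = [e for e in evs if e["method"] == "POST" and e["path"] == "/api/login"]
        if len(logins) >= min_attempts:
            users = {e.get("user") for e in logins}
            ratio = sum(e["status"] != 200 for e in logins) / len(logins)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                findings.append({"ip": ip, "type": "credential_stuffing", "attempts": len(logins),
                                 "distinct_users": len(users), "failure_ratio": round(ratio, 3)})
        rejected_codes = {e.get("code") for e in evs
                          if e["path"] == "/api/cart/coupon" and not 200 <= e["status"] < 300}
        if len(rejected_codes) >= min_distinct_codes:
            findings.append({"ip": ip, "type": "coupon_enumeration",
                             "distinct_codes": len(rejected_codes)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_logs(build_sample_log())):
        print(finding)
```

The customer who mistypes a password twice and the customer applying one newsletter code are below every threshold, while the two bots are flagged on volume, account spread and failure ratio alone.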

Solution:

Wallarm protects against credential stuffing, API abuse, coupon code enumeration, and other malicious activity typical for e-commerce companies.

It's Hard for AppSec to Keep Up with the High Velocity of Development

Pain:

  • Frequent releases (2+ times a week) make manual testing insufficient; security tooling needs to be built right into the development pipelines.
  • Much security tooling is not ready for the realities of CI/CD and requires reconfiguration.

Solution:

Machine learning: dynamic blocking rules instead of static signatures for each application. Continuously updated, API-specific, signature-free security rules generated by AI.

False Positives Kill Revenue

Pain:

  • One blocked request to the API → one lost customer.
  • A bad experience with an online retailer instantly moves customers somewhere else to buy the same item.
  • WAF fine-tuning is a nightmare: it needs a dedicated engineer or team for tedious, ongoing effort.
  • The fast velocity of development (CI/CD) makes WAF rule tuning almost impossible.
  • Most people end up not using blocking mode at all.
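Added example (not part of the original page and not Wallarm's code): a shadow-mode check that replays a candidate blocking rule over recorded benign and attack requests and reports what it would have blocked before the rule is promoted to blocking. The requests, the two rules and the promotion threshold are illustrative assumptions; the point is that a keyword signature blocks ordinary shoppers searching for "select your size" or "union jack" while still missing a real injection.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed benign e-commerce requests (not real traffic): search boxes and review
# fields naturally contain SQL keywords and apostrophes.
BENIGN_REQUESTS = [
    "/search?q=select+your+size",
    "/search?q=O'Brien+leather+jacket",
    "/search?q=union+jack+flag+t-shirt",
    "/review?text=Dropped+it+once%2C+still+works",
    "/search?q=running+shoes",
]
# Constructed attack requests, kept in the replay set so a rule that stops matching real
# injection is not promoted either.
ATTACK_REQUESTS = [
    "/search?q=%27+OR+1%3D1--",
    "/product?id=1+UNION+SELECT+username%2Cpassword+FROM+users",
]

# A keyword signature of the kind that drives teams out of blocking mode.
NAIVE_RULE = re.compile(r"(?i)\b(select|union|drop|insert)\b")
# A rule keyed on injection structure rather than on isolated keywords.
REFINED_RULE = re.compile(
    r"(?i)(\bunion\s+(all\s+)?select\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table\b)"
)


def request_values(url):
    """All decoded query-string values of a request."""
    values = []
    for items in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        values.extend(items)
    return values


def rule_matches(rule, url):
    return any(rule.search(value) for value in request_values(url))


def shadow_evaluate(rule, benign, attacks):
    """Replay a candidate rule in monitoring mode over recorded traffic and report what it
    would have blocked (false positives) and what it would have let through (false negatives)."""
    false_positives = [url for url in benign if rule_matches(rule, url)]
    false_negatives = [url for url in attacks if not rule_matches(rule, url)]
    fp_rate = len(false_positives) / len(benign) if benign else 0.0
    return {"false_positives": false_positives, "false_negatives": false_negatives, "fp_rate": fp_rate}


def can_promote_to_blocking(report, max_fp_rate=0.0):
    """Gate: promote only if the rule blocks no recorded customer and still catches every recorded attack."""
    return report["fp_rate"] <= max_fp_rate and not report["false_negatives"]


if __name__ == "__main__":
    for name, rule in (("naive", NAIVE_RULE), ("refined", REFINED_RULE)):
        report = shadow_evaluate(rule, BENIGN_REQUESTS, ATTACK_REQUESTS)
        print(name, report, "promote:", can_promote_to_blocking(report))
```

The naive rule blocks two of five shoppers and misses the `' OR 1=1--` probe, so it fails the gate on both counts; the refined rule passes. Every release that changes what customers can type into a form reopens this evaluation, which is the tuning burden the bullets above describe.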

Solution:

98% of Wallarm customers use Wallarm WAF in full blocking mode.

Unlike traditional WAFs, Wallarm does not need manual tuning or investment in ongoing maintenance to minimize false positives. It just works.

Hard to find tools that would fit a hybrid environment (legacy, cloud, cloudnative)

Pain:

  • Multiple CDNs, so a single CDN WAF is no longer an option.
  • Multiple clouds with cloud-specific WAFs (e.g. AWS WAF is not an option for GCP).
  • Hybrid clouds: legacy apps in a private DC and modern apps in the public cloud.
  • Challenges:
    1. Need to address risks from every platform in use.
    2. Need to deal with multiple security products, or find solutions that work across environments.

Solution:

Platform agnostic

Bare metal, cloud providers, K8s, your own platform, or a mix of everything.

Hybrid architecture

Web & API protection is integrated right into the publicly exposed endpoints without extending the security perimeter. The Wallarm cloud-based analytics backend dynamically monitors WAF behavior and automatically adjusts it to minimize false positives.

Public cloud friendly

Available as images on AWS & GCP.

Scaling, uptime & latency

Pain:

  • A lot of tools still cannot be easily deployed in cloud-native environments (Kubernetes, service mesh).
  • DevOps teams require their security tools to be deployed, managed and monitored in the same way they manage everything else.
  • Latency is a blocker, as it affects UX and conversion rates. Companies are reluctant to introduce security tools that could increase end-user response time.

Solution:

Ease of use: DevOps teams like Wallarm because they can automate deployment, updates and monitoring with their existing tools such as Terraform or Ansible. It also meets the strictest requirements for added latency.

Integration into existing DevOps workflow & tool chain

Pain:

  • DevOps teams want to use a consistent, minimal set of management tools and practices (Terraform, Docker, Kubernetes, Ansible, Puppet, Chef, etc.) and to integrate new security tooling easily into established system management procedures.
  • An Infrastructure-as-Code approach is vital for any DevOps engineering process, and not all marketed security tools can be easily integrated into an IaC workflow.

Solution:

Multi-platform deployment options: NGINX, NGINX Plus, Kubernetes Ingress, Kong API Gateway, AWS, GCP, Docker, Envoy.

Discovered vulnerabilities are prioritized and reported in the Wallarm console UI, and can also be dispatched to any supported integration such as Sumo Logic, Rapid7, Splunk, Slack, e-mail, OpsGenie or PagerDuty.

Different Business Units (brands) have their own Teams, Practices, and Requirements

Pain:

  • A large e-commerce company may have multiple brands that operate as separate business units.
  • Every business unit may have its own tooling, procedures and integrations, and may require isolation from other units.
  • Sub-accounts, RBAC, SAML SSO, MFA and audit log features become a strict requirement.

Solution:

Management of sub-accounts (“single pane of glass” approach): gives every team visibility and control over the protection of their own assets while keeping the option to manage the entire portfolio from a single dashboard. Wallarm offers enterprise features such as SAML SSO, RBAC and audit log.

Compliance

Pain:

  • In addition to being in the crosshairs of cyber attacks, e-commerce companies face a growing number of significant regulatory requirements.
  • These include the Payment Card Industry Data Security Standard (PCI DSS) and the EU General Data Protection Regulation (GDPR).
  • Among many other security requirements, companies have to protect their websites and APIs, perform external security scans and regularly test their software for security vulnerabilities.

Solution:

Wallarm strengthens security posture and keeps the traffic on-premises while helping to meet PCI DSS compliance. Wallarm is also a SOC 2 Type II compliant business.

Protect Legacy and New Applications

Pain:

  • There is a constant need to revamp e-commerce platforms, websites, or both: a modern business should be ready to grow online sales and improve business efficiency.
  • However, there is always baggage in the form of legacy systems (e.g. CRM and ERP systems with “custom processes”).
  • Aged, antiquated systems are less secure: attackers find unpatched vulnerabilities in them, and legacy systems are frequently no longer maintained.
  • Updating a legacy system can be costly, so mitigating identified vulnerabilities with a third-party security solution is critical.

Solution:

Wallarm WAF provides protection for both legacy applications (which cannot easily be patched or fixed to address newly discovered vulnerabilities) and newly developed software (which may suffer from security issues caused by a rapid development pace and/or a lack of comprehensive security testing).